Unfortunately I can't remember the author, but there was a paper
showing that an encrypted counter was secure to use as IVs for CBC
mode. So encrypting a shorter random IV should also be secure.
Greg.
On 2010 Jun 2, at 9:36 , Ralph Holz wrote:
Dear all,
A colleague dropped in yesterday and confronted me with the following.
He wanted to scrape off some additional bits when using AES-CBC
because
the messages in his concept are very short (a few hundred bit). So he
was thinking about a variant of AES-CBC, where he uses just 32
(random)
bits as a source for the IV. These are encrypted with AES and then
used
as the actual IV to feed into the CBC. As a result, he does not need
to
send a 128 bit IV to the receiver but just the 32 bit.
His argument was that AES basically is used as an expansion function
for
the IV here, with the added benefit of encryption. On the whole, this
should not weaken AES-CBC. Although he was not sure if it actually
would
strengthen it.
While I am prepared to buy this argument (I am not a
cryptographer...),
I still felt that the argument might not be complete. After all, 32
bits
don't provide much randomness, and I wasn't sure if this, overall,
would
not lead to more structure in the ciphercode - which might in turn
give
an attacker more clues with respect to the key.
Are there any opinions on this?
Regards,
Ralph
---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majord...@metzdowd.com
---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majord...@metzdowd.com
